Late last week, a newly discovered security flaw in iOS, which extends to the most recent iOS 6 beta 4 operating system currently being seeded to iPhone developers, showed that a glitch in the way Apple’s mobile operating system handles text messages could lead users to click on malicious links sent through text messaging. Hacker pod2g demonstrated that because iOS shows only the reply-to SMS address or phone number, rather than both the original address and the reply-to number, malicious hackers could potentially identify themselves as a contact in an iOS user’s phone book and send phony text messages. Users would then click on those messages and could potentially be taken to malicious links. The fix? According to Apple, users should use the proprietary iMessage service.
It’s unclear whether Apple intends to fix the security loophole in the final release of iOS 6 and on the iPhone 5 by displaying both the original address and the reply-to address, as pod2g proposed. For now, the company is just highlighting how much more secure its iMessage service is, in a response to Engadget:
Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.
It’s also unknown at this time whether anyone has been hit on an iPhone by the security vulnerabilities pod2g discovered.
As it stands right now, be careful of what you click on if it is sent by text message, even if it seemingly comes from a recognizable name or contact number. Apple’s solution right now would be a temporary fix at best as it only works between users of iOS and Mac OS platforms; iPhone users cannot use iMessage to communicate with Android, BlackBerry, Symbian, or Windows Phone users at this time.
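As an added illustration (not code from Apple, pod2g or the original article), the Python example below contrasts the display behaviour described above, where the reply-to address silently replaces the sender, with the proposed behaviour of showing both addresses and flagging a difference. The function names, the address book and the 555 numbers are constructed for the example.

```python
import re

# Constructed address book (sample data): normalized number -> contact name.
CONTACTS = {"+15550100": "Alice", "+15550123": "Bank alerts"}


def normalize(addr):
    """Canonicalize a sender so formatting differences do not look like a mismatch."""
    addr = addr.strip()
    if re.search(r"[A-Za-z]", addr):          # alphanumeric sender ID
        return addr.lower()
    digits = re.sub(r"[^\d+]", "", addr)      # drop spaces, dashes, parentheses
    if digits.startswith("00"):               # 00 international prefix -> +
        digits = "+" + digits[2:]
    return digits


def name_for(addr, contacts):
    """Contact name for an address, or the normalized address when unknown."""
    key = normalize(addr)
    return contacts.get(key, key)


def label_reply_to_only(original, reply_to, contacts=CONTACTS):
    """Behaviour the article describes: the reply-to address replaces the sender."""
    return name_for(reply_to or original, contacts)


def label_both(original, reply_to, contacts=CONTACTS):
    """Proposed behaviour: keep the original address visible and flag any difference.

    Returns (label, mismatch). The original address can itself be forged on SMS,
    so this removes the silent substitution; it does not authenticate the sender.
    """
    sender = name_for(original, contacts)
    if not reply_to or normalize(reply_to) == normalize(original):
        return sender, False
    return f"{sender} [replies go to {name_for(reply_to, contacts)}]", True


if __name__ == "__main__":
    # Constructed message: unknown original sender, reply-to set to a known contact.
    print(label_reply_to_only("+15559999", "+1 555-0123"))
    print(label_both("+15559999", "+1 555-0123"))
```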